ROP Mitigations


EMET 4.0 provides application-specific ROP mitigations:

• LoadLibrary

• MemProt

• Caller

• SimExecFlow

• StackPivot
LoadLibrary


Extra checking when loading a library.

• e.g. don't allow loading from a UNC path


CERT Software Engineering Institute Carnegie Mellon




MemProt


Check memory protection functions like VirtualProtect to make sure they are not doing things like marking the stack as executable.




Caller 


Before a critical API function is called, disassemble backwards from the return address to verify that the target function was actually reached by a call.

• Don't allow a return into the function (the "Return" of ROP)
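As an added illustration (not from the slides and not EMET's own code), the core of such a backward check in C: given a return address offset into a code buffer, test whether one of the common 32-bit x86 CALL encodings ends exactly there, which is what separates a genuine return address from one that merely follows a gadget's RET. The opcode coverage and the sample bytes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Does a CALL end exactly at code[ret_off]?  A real return address follows
 * a CALL; a ROP "return address" usually follows a gadget's RET instead.
 * Only common 32-bit x86 CALL encodings are modelled (assumption), and
 * backward disassembly stays a heuristic because x86 encodings overlap. */
bool preceded_by_call(const uint8_t *code, size_t ret_off)
{
    if (ret_off >= 5 && code[ret_off - 5] == 0xE8)   /* E8 rel32, 5 bytes */
        return true;
    static const size_t lens[] = { 2, 3, 6 };        /* FF /2 ModRM forms */
    for (size_t i = 0; i < 3; i++) {
        size_t len = lens[i];
        if (ret_off < len || code[ret_off - len] != 0xFF)
            continue;
        uint8_t modrm = code[ret_off - len + 1];
        uint8_t mod = modrm >> 6, reg = (modrm >> 3) & 7, rm = modrm & 7;
        if (reg != 2)                                  /* /2 selects CALL */
            continue;
        if (len == 2 && (mod == 3 || (mod == 0 && rm != 4 && rm != 5)))
            return true;                               /* call reg / [reg] */
        if (len == 3 && mod == 1 && rm != 4)
            return true;                               /* call [reg+disp8] */
        if (len == 6 && ((mod == 2 && rm != 4) || (mod == 0 && rm == 5)))
            return true;                               /* [reg+disp32] / [disp32] */
    }
    return false;
}

/* Constructed sample bytes (not from any real binary):
 *  off 0:  E8 10 00 00 00     call rel32        -> return address at off 5
 *  off 5:  FF 15 78 56 34 12  call [0x12345678] -> return address at off 11
 *  off 11: 58 C3              pop eax; ret      -> gadget; off 13 is no call return
 *  off 13: FF D0              call eax          -> return address at off 15 */
static const uint8_t sample_code[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00, 0xFF, 0x15, 0x78, 0x56, 0x34, 0x12,
    0x58, 0xC3, 0xFF, 0xD0, 0x90, 0x90
};
int main(void)
{
    const size_t ret_addrs[] = { 5, 11, 13, 15 };
    for (size_t i = 0; i < 4; i++)
        printf("return address at offset %2zu: %s\n", ret_addrs[i],
               preceded_by_call(sample_code, ret_addrs[i])
                   ? "preceded by CALL" : "NOT preceded by CALL (flag)");
    return 0;
}
```

Offsets 5, 11 and 15 pass (they follow E8, FF 15 and FF D0 calls); offset 13, which follows the `pop eax; ret` gadget, is flagged.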
SimExecFlow


Forward execution simulation to verify normal program execution flow.
StackPivot


When entering a critical function, make sure that the stack pointer is within the bounds of the stack.
EMET 5.0 New Features


EMET 5.0 includes additional exploit mitigations:

• Attack Surface Reduction

• EAF+

• Deep Hooks Enabled
Attack Surface Reduction


Reducing the attack surface is critical to preventing exploitation.

Examples:

• Only allow Java in the Intranet IE zone.

• Don't allow Flash in Microsoft Word.
EAF


Export Address Filtering


To perform useful functionality, shellcode usually needs to call exported functions.

e.g. kernel32!WinExec()

EAF blocks access to the Export Address Table (EAT) based on the calling address.
EAF+


Export Address Filtering +

• Added KERNELBASE export protection

• Integrity checks on stack registers and stack limits

• Prevent memory operations for export tables when they originate from suspicious modules.
EAF+ In Action

[Screenshot: EMET 5.0 TP notification "EMET detected EAF+ mitigation and will close the application: iexplore.exe", alongside the Windows "Internet Explorer has stopped working" dialog.]

Image Credit: http://blogs.technet.com/b/srd/archive/2014/02/25/announcing-emet-5-0-technical-preview.aspx
Deep Hooks


Protection of high-level functions is applied to the lower-level functions they call as well.


Microsoft has been working with vendors to ensure deep hooks compatibility.
Use EMET to stay safe


The only way to safely run applications on Windows is to use EMET!

• Minimize the risk of delayed patching

• Protect against known vulnerabilities

• Protect against 0-day vulnerabilities

• Protect against future vulnerabilities
EMET Recommended Configuration


System Status

• DEP: Application Opt Out

• SEHOP: Application Opt Out

• ASLR: Always On*

Import Popular Software.xml
Add every application you care about
For More Information


Visit CERT® web sites:

http://www.cert.org
http://www.cert.org/vuls/discovery/

http://www.cert.org/blogs/certcc/
Contact Presenter

Will Dormann

wd@cert.org

(412) 268-8922

Contact CERT:

Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh, PA 15213-3890